CN115643038A - Frame invalidation via receive line in bus system - Google Patents

Info

Publication number
CN115643038A
Authority
CN
China
Prior art keywords
bus system
bus
controller
node
intrusion
Legal status
Pending
Application number
CN202210840742.XA
Other languages
Chinese (zh)
Inventor
M·克奈布
O·谢尔
Current Assignee
Robert Bosch GmbH
Original Assignee
Robert Bosch GmbH

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/02 Details
    • H04L12/12 Arrangements for remote connection or disconnection of substations or of equipment thereof
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection


Abstract

One aspect of the present disclosure relates to a computer-implemented method for intercepting an intrusion on a bus system, comprising identifying, by an intrusion detection system, a frame sent by a further node of the bus system onto a bus of the bus system as an intrusion on the bus system; transmitting data onto a receive line of a node device to manipulate signals corresponding to frames arriving via the bus on the receive line, wherein the receive line is disposed between a transceiver and a controller of the node device. Other aspects of the disclosure relate to a node device and a bus system for intercepting an intrusion into the bus system.

Description

Frame invalidation via receive line in bus system
Prior Art
A bus system may have a set of one or more lines (the bus) via which a plurality of nodes (at least two) are connected to each other for data exchange, wherein each node typically comprises at least one processor. One advantage of a bus system is that a separate line between every two nodes is avoided. Therefore, a bus system is typically used when a larger number of nodes should be able to communicate with each other (according to the bus system protocol). An electromechanical technical system may comprise a large number of (electronic) control devices, which may interact via a bus system (or multiple bus systems, for example with one or more gateways). The functionality of such technical systems is often highly dependent on such interactions. For example, even more than a hundred control devices (e.g., engine controllers, transmission controllers, antilock braking systems/vehicle dynamics control, airbags, body control units, driver assistance systems, car alarms, etc.) in a non-autonomously driven vehicle may be networked via one bus system. The increasing digitization of technical systems, together with automation and networking, may result in larger and larger bus systems (i.e. with more nodes).
Controller Area Network (CAN), in which control devices of a technical system (for example a vehicle) are connected via a CAN bus and can communicate with one another according to a CAN protocol, is a well-known standardized serial bus system according to the multi-master principle, in which all control devices in the CAN have the same rights. For example, CAN (now in various versions) and/or further developments inspired by CAN are used in all types of electromechanical technical systems (e.g. in the automotive industry, automation technology, elevator installations, medical technology, aerospace technology, rail vehicle manufacturing, shipbuilding, etc.).
CAN and/or further developments inspired by CAN (abbreviated to "CAN and the like") have been and are being developed in such a way that data transmission via the CAN bus is as independent as possible of external random disturbances (for example in the sense of electromagnetic compatibility, EMC). For example, the CAN bus can be implemented by two twisted-pair conductors (CAN_HIGH, CAN_LOW), so that symmetrical signal transmission is achieved. Thus, CAN and the like have proven their value, in particular also in safety-relevant fields (for example in vehicles) which depend on a high degree of data security. While CAN and the like are relatively simple, robust and fast, they may on the other hand be susceptible to targeted attacks and/or manipulations from the outside.
In general, such an intrusion into the bus system may, for example, comprise the transmission of a message (also referred to as a frame) by an additional and unintended node of the bus system or by an intended but compromised node of the bus system. Such messages may interfere with the communication of the intended nodes of the bus system. In particular, a false message can then be sent by targeted spoofing (for example, by specifying the identity/identifier of an intended node), which has a negative effect on the bus system and on the operation of the associated technical system. Therefore, in the course of the increasing digitalization (more interfaces) of technical systems and of automation and networking, bus systems, namely CAN and the like, should be protected against intrusion.
Intrusion Detection Systems (IDS) are known from the prior art, which are designed to recognize intrusions into bus systems. Here, the physical properties of the individual (expected) nodes in the bus system are usually used to identify the origin of the transmitted messages. For example, a clock-based intrusion detection system (CIDS) is based on the individual clock offsets of the respective processors of each node. Alternatively or additionally, the individual voltage characteristics of the nodes may be analyzed and identified. Another possibility (e.g. TCAN, TIDAL-CAN, ...) consists, for example, in determining the position of the transmitting node in the bus system and, if necessary, identifying this node as an unintended and therefore intruding node by comparison with the known topology/architecture/design of the bus system. One type of intrusion detection system is implemented by a plurality of intrusion detection (sub-)systems, i.e. one for each node of the bus system, wherein the intrusion detection (sub-)system of each node is designed to recognize misuse of its own (i.e. the corresponding node's) identity/identifier. If each node of the bus system has such an intrusion detection (sub-)system, an intrusion into the bus system can be recognized by at least one node.
If an intrusion is identified by the intrusion detection system, the intrusion may be recorded in the node for archiving and subsequent analysis, for example. Alternatively or additionally, a user (e.g., a driver) of a technical system (e.g., a vehicle) or other service site may be notified via a user interface. In addition to or instead of these passive reactions, it may be desirable to react actively and as immediately as possible, in particular in order to prevent manipulation of the bus system and/or the associated technical system. For this purpose, for example, an error message (also referred to as an error frame) can be sent to the bus and thus to all nodes of the bus system.
Patent US 10,361,934 B2 discloses embodiments of an apparatus and a method. A CAN device includes: a comparison module configured to be connectable with a CAN transceiver, wherein the comparison module has a receive data (RXD) interface configured to receive data from the CAN transceiver; a CAN decoder configured to decode a CAN message identifier received from the RXD interface; an identifier memory configured to store entries corresponding to at least one identifier; and comparison logic configured to compare the identifier received from the CAN message with the entries stored in the identifier memory and to output a match signal when the comparison indicates that the received CAN message identifier matches an entry stored in the CAN device. The CAN device further includes a signal generator configured to output a signal for invalidating the CAN message in response to the match signal.
Disclosure of Invention
A first general aspect of the present disclosure is directed to a computer-implemented method for intercepting an intrusion on a bus system, comprising identifying, by an Intrusion Detection System (IDS), a frame sent by a further node of the bus system onto a bus of the bus system as an intrusion on the bus system. The method also includes transmitting data onto a receive line of a node device to manipulate signals corresponding to frames arriving via the bus on the receive line, wherein the receive line is disposed between a transceiver and a controller of the node device. The signals can be manipulated such that each of a number of recessive bits arriving via the bus is overwritten by a dominant bit and/or the level on the receive line is set to a specific level over a period of time. A sequence of directly successive dominant bits can thus be generated, which sequence is to be received by the controller of the node device. According to a bus system protocol, a sequence of directly successive dominant bits can cause a controller of a node device of the bus system to send an error frame onto the bus, thereby invalidating and in particular blocking the transmission of a frame identified as an intrusion, and thus intercepting an intrusion on the bus system.
A second general aspect of the present disclosure relates to a node device for a bus system, comprising a transceiver designed for connection to a bus of the bus system. The node device further comprises a controller which is connected to the transceiver via a transmit line and a receive line, wherein the controller and the transceiver are designed to transmit data from the controller to the transceiver via the transmit line and from the transceiver to the controller via the receive line. The node device also includes a processor. The node device also optionally includes an Intrusion Detection System (IDS). The node device is further designed to perform a method for intercepting an intrusion into a bus system according to the first general aspect (or according to an embodiment thereof).
A third general aspect of the present disclosure is directed to a bus system comprising a bus and at least one node device according to the second general aspect (or embodiments thereof) connected to the bus via a transceiver of the at least one node device. The bus system further comprises at least one further node of the bus system, wherein each further node of the bus system comprises a further transceiver, a further controller and a further processor. The bus system may optionally further comprise at least one further node as a third node of the bus system.
The advantages of the method according to the first aspect (or embodiments thereof) can be seen from the fact that signals on the receive line are manipulated, instead of, for example, merely manipulating signals on the transmit line, which is likewise arranged between the transceiver and the controller of the node device. In principle, it is nevertheless possible, for example, to transmit a sequence of directly successive dominant bits onto the transmit line via a corresponding manipulation for intercepting an identified intrusion, in order, for example, to generate (possibly by a controller of a further node of the bus system) an error frame on the bus of the bus system according to the bus system protocol and thus to intercept an intrusion into the bus system. However, this possibility of writing directly onto the bus (i.e. via the transceiver rather than via the controller) may be dangerous, since the entire bus and thus the entire bus system may be blocked/shut down, e.g. by a constant high level. In other words, although this possibility is designed precisely for protecting the bus system, it may itself represent a gateway for a disruptive intrusion into the bus system (for example, if this cannot be structurally prevented). In contrast, the method according to the first aspect (or embodiments thereof) is protected against such destructive intrusions. Here, the sequence of directly successive dominant bits sent onto the receive line (or, more generally, the result of a manipulation for intercepting an identified intrusion) is processed by the controller of the node device according to the bus system protocol. Thus, although an error frame can be sent onto the bus to inform further nodes of the bus system that an intrusion frame has been recognized, the bus is not permanently blocked/shut down. Signal manipulation on the receive line for intercepting intrusions can therefore be assessed as more secure.
Furthermore, writing to the receive line (and if necessary to the transmit line) requires only a small hardware cost. In practice, only one line section and one interface (e.g. general purpose input output port GPIO) of one processor (not necessarily the processor of at least one node device) is required. In case the processor with the interface is a processor of at least one node device, this line segment may be considered a controller bypass line, since the controller will be bypassed. In particular, only small and cost-effective hardware changes are required in comparison with the node devices of the known bus system, in particular when an Intrusion Detection System (IDS) is implemented in the processor of at least one node device. In practice, no additional comparison module is then required, for example. Furthermore, in particular, the controller of the node device and the bus system protocol of the known bus system do not have to be adapted. This is advantageous because the bus system and its bus system protocol (for example the CAN protocol) are generally standardized and cannot be changed arbitrarily frequently/quickly. Furthermore, the controller bypass line is not normally used (i.e. in the absence of an intrusion), and therefore the functionality of the bus system is not normally changed.
It is also particularly advantageous for the computer-implemented method for intercepting an intrusion into a bus system according to the first aspect (or embodiments thereof), in particular one recognized by means of an Intrusion Detection System (IDS), that it is sufficient to add a controller bypass line for only one node of the bus system, for example. In other words, an existing bus system can already be turned into a bus system according to the third general aspect by correspondingly adapting a single node or by adding a node according to the second general aspect (or its embodiments). An intrusion into the entire bus system can thus already be intercepted using the method according to the first general aspect (or its embodiments). The method can therefore be integrated into existing bus systems in a simple and cost-effective manner.
Because the receive line is written to directly, intercepting the intrusion, in particular intercepting the frames of the intruding node, is independent of the bus system protocol. Thus, the intrusion frame can be intercepted (also referred to as invalidated) already before the end-of-frame field and therefore very quickly. In particular, disturbance and/or impairment of the operation of the technical system (e.g., a vehicle) can thereby be prevented in a timely manner.
The transmission of error frames associated with an interception (e.g. to other nodes in the bus system) is likewise derived from the existing bus system protocols.
The processor of at least one node device may include an Intrusion Detection System (IDS). This eliminates an additional separate processor for the Intrusion Detection System (IDS) and reduces costs.
Drawings
Fig. 1a shows a node device for a bus system, which has a controller bypass line to a transmit line.
Fig. 1b shows an embodiment of a node device for a bus system, which has a controller bypass line to a receiving line.
Fig. 2a shows a node device for a Controller Area Network (CAN) with a controller bypass line to a transmit line.
Fig. 2b shows an embodiment of a node device for CAN with a controller bypass line to the receive line.
Fig. 3 shows a bus system.
Fig. 4 shows CAN.
Fig. 5 schematically illustrates a computer-implemented method for intercepting an intrusion into a bus system.
Detailed Description
The computer-implemented method 300, the node device 100 and the bus system 200 are intended to identify and intercept intrusions into the bus system 200. The bus system of the present disclosure may be used in many electromechanical systems and in different fields (e.g. systems or applications listed in the background section, such as vehicles). The secure interaction between the nodes of such a bus system is often decisive for the (intended, designated) functionality of the technical system. For example, even more than a hundred control devices (e.g., engine controllers, transmission controllers, antilock braking systems/vehicle dynamics control, airbags, body control units, driver assistance systems, car alarms, etc.) in a non-autonomously driven vehicle may be networked via one bus system. If, for example, a control device that has intruded via a multimedia interface successfully sends a false signal via the bus system to other control devices (for example, a deliberately too short distance to another traffic participant driving ahead), an unexpected and sometimes even damaging system reaction (for example, the activation of emergency braking by means of adaptive cruise control) may be triggered. The increasing digitalization of technical systems, together with automation and networking, may lead to larger and larger bus systems (i.e. with more nodes). The Intrusion Detection Systems (IDS) set forth in the prior art can recognize intrusions into the bus system and can be used in the systems of the present disclosure.
A computer-implemented method 300 for intercepting an intrusion on a bus system 200 is disclosed, comprising identifying 310, by an Intrusion Detection System (IDS), e.g. one or more of the intrusion detection systems described in the background section, a frame (also referred to as a message) sent by a further node 140 of the bus system 200 onto a bus 210 of the bus system 200 as an intrusion on the bus system 200. A tap of the bus system 200, in particular a tap of the bus 210, may be regarded as a further node 140 even without a dedicated node device. The method 300 further comprises transmitting 320 data onto a receive line 122 of the node device 100 to manipulate signals corresponding to frames arriving via the bus 210 on the receive line 122 (to intercept intrusions, i.e. manipulations from the outside), wherein the receive line 122 is arranged between a transceiver 110 and a controller 120 (also called control unit) of the node device 100.
In general, the manipulation may include feeding a particular sequence of data and/or a particular level (e.g., a particular level for a particular period of time) onto the receive line 122.
The signal corresponding to a frame arriving via the bus 210 may comprise a frame, i.e. for example a bit sequence, into which further bits not belonging to the frame may for example be inserted according to the bus system protocol. In the case of a bit sequence, the manipulation of the signal may comprise changing (inverting) at least one bit of the bit sequence. The signal may be transformed into a sequence of bits. The signal may be manipulated such that each of a number of recessive bits arriving via the bus 210 is overwritten by a dominant bit. The arriving recessive bits can arrive one after the other in time, but do not have to arrive directly one after the other, since dominant bits may well arrive between the recessive bits.
Additionally or alternatively, the manipulation of the signal may include setting the receive line 122 to a dominant level for a period of time (where, for example, the dominant level for the period of time corresponds to a sequence of one or more dominant bits). In this case, both recessive bits and dominant bits may be overwritten by dominant bits. Checking whether an arriving bit is dominant or recessive can then be dispensed with.
In this case, a sequence of directly successive dominant bits may be generated, which is to be received by the controller 120 of the node device 100. The method 300 is schematically illustrated in fig. 5.
According to a bus system protocol (for example, the CAN protocol), a sequence of directly successive dominant bits can cause 330 the controller 120 of the node device 100 of the bus system 200 to send an error frame onto the bus 210, thereby invalidating and in particular preventing the transmission of a frame identified as an intrusion, and thus intercepting the intrusion into the bus system 200. In other words, in contrast to the methods known from the prior art, it is not necessary to actively control the transmission of error frames, since this transmission is triggered automatically by the bus system protocol. For example, in the CAN protocol, a level change (e.g., by bit stuffing) must occur after five equal-valued bits. Otherwise, the transmission of an error frame is forced. For example, a sequence of directly successive dominant bits can be generated via the controller bypass line 124 independently of the controller and the bus system protocol and thus quickly. It is thereby possible to intercept/invalidate an intrusion frame quickly and in particular before the end-of-frame field of the intrusion frame (and for example after arbitration). Otherwise, i.e. if the bus system protocol is not circumvented, the error frame could be sent onto the bus to inform other nodes only at the end-of-frame field at the earliest, and therefore after the intrusion frame has been almost completely transmitted (the end-of-frame field is usually close to the end of the frame). The earlier the intrusion frame can be identified and blocked, the earlier the other nodes of the bus system 200 can be informed and protected against damage, given the (non-vanishing) signal propagation time on the bus 210.
A sequence of directly consecutive dominant bits may lead to a negative result of a Cyclic Redundancy Check (CRC) in the controller 120 of the node device 100. The controller 120 may thus be prompted 330 to send an error frame onto the bus 210 according to the bus system protocol.
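The stuffing rule described above can be checked in a small bit-level simulation. This is an added example, not code from the patent: the sample frame, the wired-AND model of the bypass pin on the receive line and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define DOMINANT  0
#define RECESSIVE 1
#define STUFF_RUN 5  /* CAN: after five equal bits a complementary bit follows */

/* Constructed sample, not from the patent: SOF, 11-bit ID 0x123, RTR, IDE,
 * r0, DLC = 1 and one data byte 0xFF. CRC, ACK and EOF are left out because
 * the stuff check fires before they are reached. */
static const unsigned char SAMPLE_FRAME[] = {
    0,                               /* SOF */
    0, 0, 1, 0, 0, 1, 0, 0, 0, 1, 1, /* ID 0x123 */
    0, 0, 0,                         /* RTR, IDE, r0 */
    0, 0, 0, 1,                      /* DLC = 1 */
    1, 1, 1, 1, 1, 1, 1, 1           /* data 0xFF */
};
#define SAMPLE_LEN (sizeof SAMPLE_FRAME / sizeof SAMPLE_FRAME[0])

/* Transmitter side: insert a complementary bit after every run of five
 * equal bits. Returns the stuffed length, or 0 if out is too small. */
size_t can_stuff(const unsigned char *in, size_t n,
                 unsigned char *out, size_t cap)
{
    size_t o = 0;
    int run = 0;
    unsigned char last = 2; /* matches neither level */
    for (size_t i = 0; i < n; i++) {
        if (o >= cap) return 0;
        out[o++] = in[i];
        run = (in[i] == last) ? run + 1 : 1;
        last = in[i];
        if (run == STUFF_RUN) {
            if (o >= cap) return 0;
            last = (unsigned char)!in[i];
            out[o++] = last;
            run = 1;
        }
    }
    return o;
}

/* Receive line as the controller sees it (assumed model): transceiver output
 * wired-AND with the bypass pin. While the pin is asserted, for bit times
 * start .. start+hold-1, the line reads dominant whatever the bus carries. */
void rx_with_override(const unsigned char *bus, size_t n,
                      size_t start, size_t hold, unsigned char *rx)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char pin =
            (i >= start && i < start + hold) ? DOMINANT : RECESSIVE;
        rx[i] = (unsigned char)(bus[i] & pin);
    }
}

/* Controller side: index of the bit that completes six equal bits in a row
 * (stuff error, answered with an error frame), or -1 for a clean stream. */
long first_stuff_error(const unsigned char *rx, size_t n)
{
    int run = 0;
    unsigned char last = 2;
    for (size_t i = 0; i < n; i++) {
        run = (rx[i] == last) ? run + 1 : 1;
        last = rx[i];
        if (run > STUFF_RUN) return (long)i;
    }
    return -1;
}

/* Stuffed length of the sample frame on the bus. */
size_t sample_stuffed_len(void)
{
    unsigned char bus[2 * SAMPLE_LEN];
    return can_stuff(SAMPLE_FRAME, SAMPLE_LEN, bus, sizeof bus);
}

/* Whole path for the sample frame: stuff, apply the override, run the
 * controller's check. hold = 0 means the bypass pin is never asserted. */
long invalidate_at(size_t start, size_t hold)
{
    unsigned char bus[2 * SAMPLE_LEN], rx[2 * SAMPLE_LEN];
    size_t n = can_stuff(SAMPLE_FRAME, SAMPLE_LEN, bus, sizeof bus);
    rx_with_override(bus, n, start, hold, rx);
    return first_stuff_error(rx, n);
}

int main(void)
{
    printf("stuffed length:                 %zu bits\n", sample_stuffed_len());
    printf("no override:                    %ld\n", invalidate_at(0, 0));
    printf("override from bit 12 (post-ID): %ld\n", invalidate_at(12, 6));
    printf("override from bit 19 (data):    %ld\n", invalidate_at(19, 6));
    return 0;
}
```

In this model, holding the receive line dominant for six bit times is always enough: the controller sees the stuff error no later than five bits after the override begins, and earlier when the bits just before it were already dominant.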
An Intrusion Detection System (IDS) may be designed to recognize intrusions into the bus system 200. An Intrusion Detection System (IDS) may be designed to recognize an intrusion into the bus system 200 in which a further node of the bus system 200, in particular a further node 140 of the bus system 200, sends a frame onto the bus 210 with an identifier assigned to a third node 141 of the bus system 200, wherein the third node 141 of the bus system 200 is arranged outside the node device 100 (i.e. is a node not corresponding to the node device 100). An Intrusion Detection System (IDS) may (additionally) be designed to recognize an intrusion into the bus system 200 in which a further node 140 of the bus system 200 transmits a frame onto the bus 210 with an identifier assigned to a third node 141 of the bus system 200, wherein the third node 141 of the bus system 200 corresponds to the node of the node device 100. In other words, Intrusion Detection Systems (IDS) may also be designed to recognize misuse of their own identifier.
The method 300 may be designed such that a frame identified as an intrusion may be invalidated before the end-of-frame field of the frame.
In method 300, sending 320 data onto receive line 122 may be from processor 130 of node device 100, where processor 130 is connected to transceiver 110 via controller bypass line 124, where receive line 122 and controller bypass line 124 have a common line portion. In other words, the controller bypass line 124 (or a portion thereof) feeds into the receive line 122.
The processor 130 of the node device 100 may comprise an Intrusion Detection System (IDS).
A node device 100 for a bus system 200 is also disclosed, comprising a transceiver 110 designed to be connected to a bus 210 of the bus system 200. The node device 100 further comprises a controller 120 which is connected to the transceiver via a transmit line 121 and via a receive line 122, wherein the controller and the transceiver are designed to transmit data from the controller to the transceiver via the transmit line 121 and to transmit data from the transceiver to the controller via the receive line 122. The node device 100 further comprises a processor 130 which may be coupled to the controller. The node device 100 may also optionally include an Intrusion Detection System (IDS). The node device 100 is designed to perform a method 300 for intercepting intrusions into the bus system 200. The processor 130 of the node device 100 may be designed to perform the method 300 for intercepting an intrusion into the bus system 200.
As shown in fig. 1a-2b, the processor 130 may be connected to the transceiver 110 (e.g., via a general purpose input output port, i.e., a GPIO port) via at least one controller bypass line 123, 124, and additionally be designed to intercept, through the at least one controller bypass line 123, 124, an intrusion into the bus system 200 recognized by an Intrusion Detection System (IDS). In particular, the processor 130 may be connected to the transceiver 110 by at least one controller bypass line 123, 124 (i.e., via the transmit line 121 and/or via the receive line 122), wherein the controller bypass line 123, 124 bypasses the controller 120. If no receive line 122 is present, then in method 300 the data sent 320 onto the receive line 122 may be sent from another processor (not shown in fig. 1a-2b) which in turn is connected to the transceiver 110 and in particular to the receive line 122 via another controller bypass line (also not shown in fig. 1a-2b). Such other processor may be, for example, a comparison module arranged between the transceiver 110 and the controller 120 of the node device 100.
The advantages of at least one controller bypass line (e.g., 123, 124, other controller bypass lines) can be seen from the fact that: the processor 130 or other processor may change the data (e.g., signals corresponding to frames arriving via the bus 210, and/or signals corresponding to frames to be transmitted onto the bus 210) between the transceiver 110 and the controller 120 (i.e., on the transmit line 121 and/or the receive line 122) at any time in the event an intrusion is identified. Thus, the method 300 can intercept the intrusion message (also referred to as a frame) quickly and in particular already before the end-of-frame field of the intrusion message (and for example after an arbitration), since the bus system protocol can in particular also be circumvented by at least one controller bypass line (e.g. 123, 124, other controller bypass lines). Thus, possible damage and/or manipulations intended by the intrusion message can be intercepted before they occur.
The processor 130 may fully or partially include a controller, i.e., the controller may be a logical subunit of the processor 130. The part of the processor 130 outside the logical sub-unit may then be connected to the transceiver 110 by controller bypass lines 123, 124. The processor 130 may also include, in whole or in part, an Intrusion Detection System (IDS). For example, an Intrusion Detection System (IDS) may be implemented on the processor 130, where one or more portions of the Intrusion Detection System (IDS) (e.g., a repeater) may also be disposed external to the processor 130 (e.g., in the bus 210).
For example, the bus system 200 may be a Controller Area Network (CAN), now existing in various versions, and/or a further development inspired by CAN. In this case, the bus 210 may be referred to as a CAN bus, the transceiver 110 may be referred to as a CAN transceiver, and the controller 120 may be referred to as a CAN controller. In this case, the bus system protocol may be a CAN protocol, for example according to ISO 11898-1 or ISO/DIS 11898-1 (e.g. protocols CAN, CAN FD, CAN FEFF, CAN FBFF etc.). The data may correspond to serial bits, for example, as in the CAN system. Alternatively, the bus system 200 may be, for example, a Local Interconnect Network (LIN). Alternatively, the bus system 200 may be, for example, a FLEXRAY network. The processor 130 may be, for example, a computer, a Central Processing Unit (CPU), or a microprocessor. In particular, a node may represent a control device (or a part thereof) in a technical system (e.g. a vehicle).
In one embodiment (also referred to as embodiment Tx), the transmit line 121 and the at least one controller bypass line 123 may have a common line portion. In other words, here the processor 130 may be connected to the transmission line 121, wherein the controller 120 is bypassed. Such an exemplary embodiment is shown in fig. 1a and in particular in fig. 2a for CAN or the like.
In a further embodiment (also referred to as embodiment Rx), the receive line 122 and the at least one controller bypass line 124 (may) have a common line portion. In other words, here the processor 130 may be connected to the receive line 122, wherein the controller 120 is bypassed. Such an exemplary embodiment is shown in fig. 1b and in particular in fig. 2b for CAN and the like. Alternatively, there may also be a second controller bypass line 124 having a common line portion with the receive line 122. Thus, the at least one controller bypass line 123 may have a common line portion with the transmission line 121, for example. The Intrusion Detection System (IDS) may be different from that shown in fig. 1a-2b, or may be arranged wholly or partially outside the processor 130.
Also disclosed is a bus system 200 comprising a bus 210 and at least one node device 100, the node device 100 being connected to the bus 210 via a transceiver 110 of the at least one node device 100. Furthermore, the bus system 200 comprises at least one further node 140 of the bus system 200, wherein each further node of the bus system 200 may comprise a further transceiver, a further controller and a further processor. The bus system 200 may optionally also comprise at least one further node as a third node 141 of the bus system 200.
An exemplary embodiment of a bus system 200 is shown in fig. 3 and in particular in fig. 4 for CAN and the like. At least one node device 100 may, for example, represent precisely the node of an existing bus system which is to be changed or added in order to be able to recognize and intercept intrusions into the existing bus system. In the case of CAN or the like, fig. 4 shows in particular the two twisted pair conductors (CAN_HIGH, CAN_LOW) of the CAN bus for symmetrical signal transmission. In contrast, bus 210 in fig. 3 (regardless of the illustration) may include a collection of one or more lines. For example, the further node 140 may send a message onto the bus 210 with an identifier of the node implemented by the at least one node device 100. Alternatively, for example, further node 140 may send a message with the identifier of (optional) third node 141 onto bus 210. In both cases such intrusion may be intercepted by at least one node device 100 and method 300.
In the embodiment Tx of the at least one node apparatus 100 already described, a sequence (or other manipulation) of directly successive dominant bits can (additionally) be transmitted from the transceiver 110 of the at least one node apparatus 100 onto the bus 210 of the bus system 200. In practice, transceiver 110 is not designed/configured to stop transmitting onto bus 210. Thereby, at least one controller of a node of the bus system 200 may also be caused to send error frames onto the bus. The at least one controller of the nodes of the bus system 200 caused to send the error frame onto the bus may be a further controller of the further node 140 sending a frame identified as an intrusion (i.e. an intrusion frame), wherein the further controller of the further node 140 suspends the transmission of the frame before it sends the error frame (also according to the bus system protocol) onto the bus 210 of the bus system 200 according to the bus system protocol. The error frame may for example consist of a dominant bit and/or a recessive bit and depend on the state of an internal error counter. Alternatively or additionally, the at least one controller of the nodes of the bus system 200 caused to send the error frame onto the bus is the controller 120 of the at least one node device 100 (via the transceiver 110 and the receiving line 122) or a further controller of a further node of the bus system 200. In this case, a sequence of directly successive dominant bits may lead to a negative result of a Cyclic Redundancy Check (CRC) in the at least one controller, and may cause the at least one controller to send an error frame onto the bus 210 according to the bus system protocol.
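The CRC effect described above can be checked with a small receiver-side model. This is an added example, not part of the patent text: it builds a constructed classical base-format CAN frame, covers a window of the received bits with dominant bits, and reports whether the controller's CRC-15 check fails. Assumptions: stuff bits are omitted, the overlay is confined to the data field, and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define DOMINANT 0 /* logical 0; wins over recessive (1) */

/* CAN CRC-15, generator 0x4599, over a destuffed bit sequence. */
static uint16_t can_crc15(const uint8_t *bits, size_t n) {
    uint16_t crc = 0;
    for (size_t i = 0; i < n; i++) {
        int nxt = bits[i] ^ ((crc >> 14) & 1);
        crc = (uint16_t)((crc << 1) & 0x7FFF);
        if (nxt) crc ^= 0x4599;
    }
    return crc;
}

/* SOF..CRC of a base-format data frame (constructed sample, no stuff bits);
   returns the number of bits written to out. Caller ensures dlc <= 8. */
static size_t build_frame(uint16_t id, const uint8_t *data, uint8_t dlc, uint8_t *out) {
    size_t n = 0;
    out[n++] = DOMINANT;                                     /* SOF */
    for (int i = 10; i >= 0; i--) out[n++] = (id >> i) & 1;  /* identifier */
    for (int i = 0; i < 3; i++) out[n++] = DOMINANT;         /* RTR, IDE, r0 */
    for (int i = 3; i >= 0; i--) out[n++] = (dlc >> i) & 1;  /* DLC */
    for (uint8_t b = 0; b < dlc; b++)
        for (int i = 7; i >= 0; i--) out[n++] = (data[b] >> i) & 1;
    uint16_t crc = can_crc15(out, n);
    for (int i = 14; i >= 0; i--) out[n++] = (crc >> i) & 1; /* CRC field */
    return n;
}

/* Model assumption: dominant bits cover the received bits in [start, start+len).
   Returns 1 if the controller's CRC check then fails, 0 if not, -1 on bad dlc. */
int crc_fails_after_overlay(uint16_t id, const uint8_t *data, uint8_t dlc,
                            size_t start, size_t len) {
    uint8_t rx[128];
    if (dlc > 8) return -1;
    size_t n = build_frame(id, data, dlc, rx);
    for (size_t i = start; i < start + len && i < n; i++) rx[i] = DOMINANT;
    uint16_t field = 0;
    for (size_t i = n - 15; i < n; i++) field = (uint16_t)((field << 1) | rx[i]);
    return can_crc15(rx, n - 15) != field;
}

int main(void) {
    const uint8_t data[2] = {0xFF, 0x00}; /* constructed payload; data starts at bit 19 */
    printf("overlay on recessive bits: %d\n", crc_fails_after_overlay(0x123, data, 2, 19, 6));
    printf("overlay on dominant bits:  %d\n", crc_fails_after_overlay(0x123, data, 2, 27, 6));
    return 0;
}
```

The second call shows the edge case: a dominant sequence that covers only bits that were already dominant leaves the frame unchanged, so the CRC check alone does not fail.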
Embodiment Rx (without embodiment Tx), in which at least one controller bypass line 124 has a common line section with the receive line 122 and no further controller bypass line 123 has a common line section with the transmit line 121, can be regarded as particularly safe, since it is not possible to write directly onto the bus 210 of the bus system 200 (writing is possible only via the controller 120). In contrast to the embodiment Tx, it is thus not possible to manipulate the bus via the bypass with, for example, a constant high level. As a result, the bus 210 cannot, for example, be blocked or shut down via the at least one controller bypass line 124.
A frame identified as an intrusion may (but need not) be invalidated before the end-of-frame field of the frame. For example, frames identified as intrusions may be invalidated after arbitration and after the identifier is transmitted. Damage and/or handling can thereby be prevented before it occurs.
The method 300 may be implemented in the processor 130 of at least one node device 100 in the node device 100 and/or the bus system 200, so that at least one node device 100 may intercept intrusions into the bus system 200. In particular, it is sufficient that the method 300 is implemented and applied (only) in one node of the bus system 200. The method 300 may represent a computer program capable of/stored on (e.g., as a sequence of signals on) a storage medium.
The method 300 for intercepting an intrusion into a bus system 200, the node device 100 and the bus system 200 as proposed in the present disclosure may relate to a Controller Area Network (CAN), a Local Interconnect Network (LIN) or a FLEXRAY network, wherein in particular the controller area network may comprise one of different versions of a CAN (system) and/or further developments inspired by CAN. The method 300 for intercepting an intrusion into the bus system 200 can be generalized to multi-bus systems, wherein a multi-bus system comprises at least two bus systems, wherein the bus systems are coupled to each other via at least one gateway. From the perspective of each such bus system, at least one gateway may be considered a node (e.g., having multiple receive lines and transmit lines, optionally having multiple controller bypass lines). The method 300 may be implemented, for example, in each gateway of a multi-bus system.

Claims (14)

1. A computer-implemented method (300) for intercepting an intrusion to a bus system (200), comprising:
identifying (310), by means of an Intrusion Detection System (IDS), a frame sent by a further node (140) of the bus system (200) onto a bus (210) of the bus system (200) as an intrusion into the bus system (200);
sending (320) data onto a receive line (122) of a node device (100) to manipulate signals corresponding to frames arriving via the bus (210) on the receive line (122), wherein the receive line (122) is arranged between a transceiver (110) and a controller (120) of the node device (100).
2. The method (300) of claim 1, wherein the signal is manipulated such that each of a number of recessive bits arriving via the bus (210) is covered by a dominant bit and/or the level on the receive line (122) is set to a certain level over a period of time.
3. The method (300) of claim 1 or 2, wherein a sequence of directly consecutive dominant bits is generated, which sequence is to be received by a controller (120) of the node device (100).
4. The method (300) of any one of the preceding claims, wherein, according to a bus system protocol, the sequence of directly successive dominant bits causes (330) a controller (120) of a node device (100) of the bus system (200) to send an error frame onto the bus (210), thereby invalidating and in particular blocking transmission of a frame identified as an intrusion, thereby intercepting the intrusion on the bus system (200).
5. The method (300) of any preceding claim, wherein the sequence of directly consecutive dominant bits results in a negative result of a Cyclic Redundancy Check (CRC) in a controller (120) of the node device (100) and thereby causes (330) the controller (120) to send the error frame onto a bus (210) according to a bus system protocol.
6. The method (300) as claimed in any of the preceding claims, wherein the Intrusion Detection System (IDS) is designed to recognize an intrusion into the bus system (200).
7. The method (300) as claimed in any of the preceding claims, wherein the Intrusion Detection System (IDS) is designed to recognize an intrusion into the bus system (200), wherein a further node of the bus system (200), in particular the further node (140) of the bus system (200), sends a frame onto the bus (210) with an identifier assigned to a third node (141) of the bus system (200), wherein the third node (141) of the bus system (200) is arranged outside the node device (100).
8. The method (300) of any of the preceding claims, wherein a frame identified as an intrusion is invalidated before an end of frame field of the frame.
9. The method (300) according to any of the preceding claims, wherein sending (320) data onto the receive line (122) is sent out from a processor (130) of the node device (100), wherein the processor (130) is connected to the transceiver (110) via a controller bypass line (124), wherein the receive line (122) and the controller bypass line (124) have a common line portion.
10. The method (300) of claim 9, wherein the processor (130) of the node device (100) comprises the Intrusion Detection System (IDS).
11. A node device (100) for a bus system (200), comprising:
a transceiver (110) designed for connection to a bus (210) of the bus system (200);
a controller (120) connected to the transceiver via a transmission line (121) and via a reception line (122), wherein the controller and the transceiver are designed to transmit data from the controller to the transceiver via the transmission line and from the transceiver to the controller via the reception line;
a processor (130);
an optional Intrusion Detection System (IDS);
wherein the node device (100) is designed to perform the method (300) for intercepting an intrusion into a bus system (200) according to any one of the preceding claims.
12. Node device (100) according to claim 11, wherein the processor (130) of the node device (100) is designed to execute the method (300) for intercepting an intrusion into a bus system (200) according to claim 9 or 10.
13. A bus system (200) comprising:
a bus (210);
at least one node device (100) according to claim 11 or 12, the node device being connected to the bus (210) via a transceiver (110) of at least one node device (100);
at least one further node (140) of the bus system (200), wherein each further node of the bus system (200) comprises a further transceiver, a further controller and a further processor;
optionally at least one further node serves as a third node (141) of the bus system (200).
14. The method (300), node device (100) or bus system (200) according to any one of the preceding claims, wherein the bus system (200) is a Controller Area Network (CAN), a Local Interconnect Network (LIN) or a FLEXRAY network.
CN202210840742.XA 2021-07-19 2022-07-18 Frame invalidation via receive line in bus system Pending CN115643038A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102021207685.8 2021-07-19
DE102021207685.8A DE102021207685A1 (en) 2021-07-19 2021-07-19 FRAME INVALIDATION IN THE BUS SYSTEM VIA RECEIVE LINE

Publications (1)

Publication Number Publication Date
CN115643038A (en) 2023-01-24

Family

ID=84546848

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210840742.XA Pending CN115643038A (en) 2021-07-19 2022-07-18 Frame invalidation via receive line in bus system

Country Status (3)

Country Link
US (1) US20230013980A1 (en)
CN (1) CN115643038A (en)
DE (1) DE102021207685A1 (en)

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10361934B2 (en) 2015-09-28 2019-07-23 Nxp B.V. Controller area network (CAN) device and method for controlling CAN traffic

Also Published As

Publication number Publication date
DE102021207685A1 (en) 2023-01-19
US20230013980A1 (en) 2023-01-19

Similar Documents

Publication Publication Date Title
US20210312043A1 (en) Vehicle communications bus data security
EP3148154B1 (en) Controller area network (can) device and method for controlling can traffic
EP3772841B1 (en) A security module for a can node
EP3435617B1 (en) A node, a vehicle, an integrated circuit and method for updating at least one rule in a controller area network
US10868817B2 (en) Systems and methods for neutralizing masquerading attacks in vehicle control systems
CN112347022B (en) Security module for CAN nodes
EP3772839B1 (en) Security module for a serial communications device
US11394726B2 (en) Method and apparatus for transmitting a message sequence over a data bus and method and apparatus for detecting an attack on a message sequence thus transmitted
CN112583786B (en) Method for alarming, transmitter device and receiver device
CN115643038A (en) Frame invalidation via receive line in bus system
US20220321583A1 (en) Frame invalidation in the bus system including intrusion detection system
EP4068721B1 (en) Controller area network device
US12028184B2 (en) Controller area network module and method for the module
Galletti CANguru: a reliable intrusion detection system for CAN and CAN FD networks
CN117749555A (en) Controller area network system and method for the same
CN116266804A (en) Device for a controller area network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination